BitTorrent fixed a vulnerability that would have allowed attackers to hijack BitTorrent applications used by hundreds of millions of users in order to amplify distributed denial-of-service (DDoS) attacks.\nThe vulnerability was located in libuTP, a reference implementation of the Micro Transport Protocol (uTP) that's used by many popular BitTorrent clients including uTorrent, Vuze, Transmission and the BitTorrent mainline client.\nThe flaw was disclosed earlier this month in a paper presented at the 9th USENIX Workshop on Offensive Technologies by four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany and cloud networking firm PLUMgrid.\nDDoS amplification is an increasingly popular technique among attackers and can generate very large traffic volumes. It involves sending rogue requests to a large number of servers that appear to originate from the IP (Internet Protocol) address of a target chosen by attackers. This tricks those servers into sending their responses to the spoofed IP address instead of the original sender, flooding the victim with data packets.\nThe technique has the effect of hiding the source of the original traffic, which is known as reflection, but can also significantly amplify it if the generated responses are larger in size than the requests that triggered them.\nThis type of attack typically affects protocols that rely on the User Datagram Protocol (UDP) for data transmission, because UDP does not perform source address validation. In their paper, the four researchers showed that uTP is one such protocol.\nThey showed that an attacker could send a connection request with a spoofed address to a BitTorrent client forcing it to send an acknowledgement (ACK) packet to the victim. The attacker could then send a second request with the same spoofed address and a random ACK number to initiate a BitTorrent handshake.\nThe BitTorrent client would accept this second request as well and would send a handshake response to the victim. However, since the victim would not expect the packet, it wouldn't respond back, forcing the BitTorrent client to resend the data up to 4 times, amplifying the traffic that the attackers can generate.\nIn order to fix the issue, BitTorrent, the company that maintains libuTP, modified the library so that it properly verifies the ACK number accompanying the second request. If it doesn't match the one sent to the victim in the first packet, it will drop the connection.\nThe change does not prevent DDoS reflection but kills the amplification effect.\nIt would be fairly difficult for an attacker to guess the acknowledgement number for a sufficiently large number of reflectors, a BitTorrent engineer said in a blog post Thursday that explains the fix in detail.\nThe latest versions of uTorrent, BitTorrent mainline and BitTorrent Sync, which are developed by the company, have included the fix since Aug. 4.\nThe change does not affect backwards compatibility with older versions of those applications nor with third-party BitTorrent clients that use libuTP, a BitTorrent engineer said via email. "Nonetheless, we encourage other developers to ensure their implementations properly enforce acknowledgment number sequencing."\nOther protocols designed by the company that rely on\u00a0libuTP, like the Message Stream Encryption (MSE), are also protected.